Security audit

公众号黑马账号推荐

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide the advertised ranking lookup, but it also searches shell startup files for an API key and sends credentials to a third-party service, so it needs review before installation.

Install only if you are comfortable with the skill using a RedFox API key and making outbound requests to the ranking service. Prefer setting REDFOX_API_KEY only in the active session or a scoped secrets store, avoid putting unrelated secrets in shell profile files, and review any request carefully before allowing it to fetch data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill documents capabilities to read environment variables, read local shell configuration files, and make outbound network requests, but it does not declare equivalent permissions or clearly scope them. This creates a transparency and consent problem: a user may invoke a seemingly simple ranking lookup skill without realizing it can inspect local files for secrets and transmit data to an external service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97%
Finding
The documented behavior goes beyond a simple 'view official growth rankings' skill: it accesses local shell config files to recover credentials, depends on a third-party service, and may calculate or reorder results using its own scoring logic. That mismatch is dangerous because users may grant trust based on the advertised purpose while the skill performs additional local secret access and remote data handling they did not reasonably expect.

Intent-Code Divergence

Low
Confidence
78%
Finding
The documentation gives conflicting assurances about API-key handling by saying the key is read only from environment variables while elsewhere permitting fallback reads from shell startup files. Inconsistent security documentation can mislead users about where sensitive data may be accessed from and prevents informed consent about local secret discovery behavior.

Context-Inappropriate Capability

Medium
Confidence
94%
Finding
The spec instructs the skill to read API credentials from users' shell startup files (~/.bashrc, ~/.zshrc, ~/.bash_profile, ~/.profile), which is broader filesystem access than needed for a simple ranking lookup. In an agent context, this expands access into sensitive local configuration that may contain unrelated secrets, increasing the risk of over-collection or accidental disclosure if the skill or surrounding tooling mishandles file contents.

Context-Inappropriate Capability

Medium
Confidence
92%
Finding
The script reads multiple shell init files in the user's home directory to discover credentials automatically, which exceeds the minimum access needed for a simple ranking fetcher. Even though it appears intended as a convenience feature, silently scanning local config files can expose unrelated secrets or normalize unexpected access to sensitive user files.

Missing User Warnings

Medium
Confidence
90%
Finding
The API spec describes sending an API key and harvesting it from multiple local sources, including shell profile files, but gives no user-facing warning about credential handling, privacy scope, or what local files may be accessed. In a skill ecosystem, missing disclosure undermines informed consent and can cause users to expose secrets without realizing the skill may inspect broader local configuration.

Vague Triggers

Medium
Confidence
89%
Finding
The workflow instructs the agent to default ambiguous requests to a real data query for the previous day's ranking, which can cause unintended external actions and disclosure of fetched content without clear user confirmation. In an agent setting, broad ambiguity handling increases the chance of over-triggering the skill on casual mentions or unclear requests, reducing user control and making misuse easier.

Vague Triggers

Low
Confidence
84%
Finding
Using the generic phrase "公众号增长榜" as a trigger is overly broad and may match conversational or analytical discussion rather than a request to execute the skill. In this skill's context, that can cause unintended script invocation and automatic retrieval of ranking data, though the impact is limited because the action is read-oriented rather than directly destructive.

Missing User Warnings

Medium
Confidence
94%
Finding
The skill accesses sensitive local shell configuration files to extract credentials without an explicit, user-facing consent or warning. In agent/skill contexts, this is dangerous because users may not expect a data-fetching utility to inspect personal startup files, and those files can contain more than the targeted key.

Missing User Warnings

Medium
Confidence
89%
Finding
The script transmits an API key and request metadata to an external service without making that network disclosure explicit to the user. While sending the key is necessary for authentication, the lack of transparency is a security/privacy concern in a skill setting where external network access and credential use should be clearly communicated.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.